1. 02 Oct, 2016 2 commits
  2. 18 Sep, 2016 1 commit
    • James Hogan's avatar
      MIPS: KVM: Check for pfn noslot case · 3b23ff99
      James Hogan authored
      commit ba913e4f upstream.
      
      When mapping a page into the guest we error check using is_error_pfn(),
      however this doesn't detect a value of KVM_PFN_NOSLOT, indicating an
      error HVA for the page. This can only happen on MIPS right now due to
      unusual memslot management (e.g. being moved / removed / resized), or
      with an Enhanced Virtual Memory (EVA) configuration where the default
      KVM_HVA_ERR_* and kvm_is_error_hva() definitions are unsuitable (fixed
      in a later patch). This case will be treated as a pfn of zero, mapping
      the first page of physical memory into the guest.
      
      It would appear the MIPS KVM port wasn't updated prior to being merged
      (in v3.10) to take commit 81c52c56 ("KVM: do not treat noslot pfn as
      a error pfn") into account (merged v3.8), which converted a bunch of
      is_error_pfn() calls to is_error_noslot_pfn(). Switch to using
      is_error_noslot_pfn() instead to catch this case properly.
      
      Fixes: 858dd5d4 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: "Radim Krčmář" <rkrcmar@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: kvm@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [james.hogan@imgtec.com: Backport to v4.7.y]
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      3b23ff99
  3. 17 Sep, 2016 1 commit
  4. 15 Sep, 2016 15 commits
  5. 12 Sep, 2016 17 commits
  6. 11 Sep, 2016 1 commit
  7. 07 Sep, 2016 1 commit
    • Ian Abbott's avatar
      staging: comedi: comedi_test: fix timer race conditions · 871499e3
      Ian Abbott authored
      [ commit 403fe7f3 upstream.
      
        Patch is cut down a bit from upstream patch, as upstream patch fixed
        parts that don't exist in this version.  Also, some identifiers were
        renamed, so patch description has been edited accordingly
        -- Ian Abbott
      ]
      
      Commit 73e0e4df ("staging: comedi: comedi_test: fix timer lock-up")
      fixed a lock-up in the timer routine `waveform_ai_interrupt()` caused by
      commit 24051247 ("staging: comedi: comedi_test: use
      comedi_handle_events()").  However, it introduced a race condition that
      can result in the timer routine misbehaving, such as accessing freed
      memory or dereferencing a NULL pointer.
      
      73e0... changed the timer routine to do nothing unless a
      `WAVEFORM_AI_RUNNING` flag was set, and changed `waveform_ai_cancel()`
      to clear the flag and replace a call to `del_timer_sync()` with a call
      to `del_timer()`.  `waveform_ai_cancel()` may be called from the timer
      routine itself (via `comedi_handle_events()`), or from `do_cancel()`.
      (`do_cancel()` is called as a result of a file operation (usually a
      `COMEDI_CANCEL` ioctl command, or a release), or during device removal.)
      When called from `do_cancel()`, the call to `waveform_ai_cancel()` is
      followed by a call to `do_become_nonbusy()`, which frees up stuff for
      the current asynchronous command under the assumption that it is now
      safe to do so.  The race condition occurs when the timer routine
      `waveform_ai_interrupt()` checks the `WAVEFORM_AI_RUNNING` flag just
      before it is cleared by `waveform_ai_cancel()`, and is still running
      during the call to `do_become_nonbusy()`.  In particular, it can lead to
      a NULL pointer dereference because `do_become_nonbusy()` frees
      `async->cmd.chanlist` and sets it to `NULL`, but
      `waveform_ai_interrupt()` dereferences it.
      
      Fix the race by calling `del_timer_sync()` instead of `del_timer()` in
      `waveform_ai_cancel()` when not in an interrupt context.  The only time
      `waveform_ai_cancel()` is called in an interrupt context is when it is
      called from the timer routine itself, via `comedi_handle_events()`.
      
      There is no longer any need for the `WAVEFORM_AI_RUNNING` flag, so get
      rid of it.
      
      Fixes: 73e0e4df ("staging: comedi: comedi_test: fix timer lock-up")
      Reported-by: default avatarÉric Piel <piel@delmic.com>
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Cc: Éric Piel <piel@delmic.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
      871499e3
  8. 03 Sep, 2016 2 commits